Security
How Praxiko handles your data
Praxiko runs on Australian-hosted infrastructure with privacy-by-default settings. The trust signals below are factual; the wording will be tightened as Praxiko's compliance posture matures, but the underlying design is fixed. Australia is the current launch market; the same security posture applies to clinicians working in any English-language clinical context.
Trust signals
Australian data residency
All practitioner and client data is stored in Supabase's Sydney region (ap-southeast-2). Data residency is locked at project creation; moving regions is not a configuration toggle. This aligns with Australian Privacy Act expectations for handling health information onshore: because the data never leaves Australia, hosting alone does not trigger the cross-border disclosure obligations of Australian Privacy Principle 8.
HTTPS enforced at the TLD level
Praxiko runs on the .app top-level domain, which is on the HSTS preload list shipped with every major browser. The browser rewrites http:// to https:// before the first request is sent, so a plain-HTTP link that is shared, pasted or typed never produces a cleartext connection, and a network attacker has no first request to downgrade. There is no insecure path to Praxiko.
Encryption at rest and in transit
Database storage and managed object storage are encrypted at rest by default. All network traffic between client devices, Praxiko's edge, and the database is encrypted in transit over TLS.
Row-level access controls
Every table that touches user data is scoped at the database level by enterprise (clinic). Practitioners cannot read or write data outside the enterprise that their hat belongs to, even if an application-layer bug attempted to: a query that forgets its enterprise filter still returns nothing from another clinic, and an insert that points at another clinic is rejected. This is enforced by Postgres row-level security policies, not by application code alone.
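The following is an added worked example of that pattern, not Praxiko's schema or policies. It assumes two tables (enterprise_members and clients) and column names of its own choosing, and it recreates minimal stand-ins for Supabase's auth.uid() helper and authenticated role so that it runs on plain Postgres; on Supabase those already exist. The final statements show the check a practitioner would want: acting as one clinic's practitioner, a query with no enterprise filter sees only that clinic's rows, and an insert into the other clinic fails.

```sql
-- Added example (not Praxiko's schema): enterprise-scoped row-level security.
-- Stand-ins for Supabase's auth.uid() and "authenticated" role, so this runs on plain Postgres.
create schema if not exists auth;
create or replace function auth.uid() returns uuid
  language sql stable
  as $$ select nullif(current_setting('request.jwt.claim.sub', true), '')::uuid $$;
do $$ begin
  if not exists (select 1 from pg_roles where rolname = 'authenticated') then
    create role authenticated nologin;
  end if;
end $$;
grant usage on schema auth to authenticated;

-- Assumed tables: which practitioner belongs to which enterprise (clinic), and client records.
create table enterprise_members (
  user_id       uuid not null,   -- the Supabase Auth user id that auth.uid() returns
  enterprise_id uuid not null,
  primary key (user_id, enterprise_id)
);
create table clients (
  id            uuid primary key default gen_random_uuid(),
  enterprise_id uuid not null,
  full_name     text not null
);
grant select on enterprise_members to authenticated;
grant select, insert, update, delete on clients to authenticated;

-- Enable RLS. With RLS on and no matching policy, the table is empty and unwritable
-- for the application role; FORCE applies the policies to the table owner as well.
alter table enterprise_members enable row level security;
alter table clients enable row level security;
alter table clients force row level security;

-- A member may read only their own membership rows (the clients policy below relies on this).
create policy members_self on enterprise_members
  for select to authenticated
  using (user_id = auth.uid());

-- Clients: USING filters reads, updates and deletes to the caller's enterprises;
-- WITH CHECK rejects inserts or updates that would place a row in another enterprise.
create policy clients_same_enterprise on clients
  for all to authenticated
  using (enterprise_id in
           (select enterprise_id from enterprise_members where user_id = auth.uid()))
  with check (enterprise_id in
           (select enterprise_id from enterprise_members where user_id = auth.uid()));

-- Constructed sample data: two clinics, one practitioner and one client in each.
insert into enterprise_members values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
insert into clients (enterprise_id, full_name) values
  ('aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'Client of clinic A'),
  ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'Client of clinic B');

-- Check: act as the clinic A practitioner, the way the API layer does for an authenticated request.
set role authenticated;
select set_config('request.jwt.claim.sub', '11111111-1111-1111-1111-111111111111', false);

-- A query that forgets its enterprise filter still only sees clinic A.
select full_name from clients;                                   -- 'Client of clinic A' only

-- Explicitly asking for clinic B returns nothing rather than leaking it.
select count(*) from clients
  where enterprise_id = 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb';   -- 0

-- Writing into clinic B is rejected by WITH CHECK with
-- "new row violates row-level security policy for table "clients"".
insert into clients (enterprise_id, full_name)
  values ('bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'smuggled');

reset role;
```

Two details matter when copying this pattern. The membership table used inside the policy subquery is itself under RLS, so it needs its own policy (members_self above); without one the subquery returns no rows and every caller sees nothing. And the demonstration only holds for the application role: a superuser connection bypasses RLS entirely, so the application must never connect as one.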
Stores and surfaces; doesn't interpret
Praxiko stores and surfaces clinical information. It doesn't score symptoms, generate treatment recommendations, or auto-flag check-in answers. The practitioner interprets; the software keeps the record. That line is deliberate — it keeps Praxiko on the right side of medical-device regulation, and it keeps the clinical judgment where it belongs. Australia is the current launch market; the AHPRA advertising guidelines shape what Praxiko publishes about regulated health services here, and equivalent regimes apply in other English-language jurisdictions.
Authentication
Sign-in uses single-use one-time codes delivered by email; a code that has been redeemed cannot be replayed. Sessions are validated server-side against Supabase Auth on every request; the mere presence of a session cookie is never trusted on its own.
Reporting a security issue
If you believe you've found a security vulnerability, email security@praxiko.app with details. Praxiko reviews reports promptly and will coordinate disclosure once a fix has shipped.